Anyone happen to run across this same issue.....

We run wired 802.1x on all of our switch ports. The majority of our desktop clients are Windows XP SP3. We use PEAP-MSCHAPV2 with a public certificate signed by the Thawte CA within Radiator. In my PEAP configuration on the XP clients I tell the client to validate the certificate but have NO CAs selected from the certificate trust store. This will allow a certificate signed by any of the CAs that are in the CA cert store to be validated properly. This works like a charm under XP with no problems. I'm aware of the potential downside and consequences of attacks doing it this way.

We now have some Windows 7 Enterprise clients going out the door and have configured them in exactly the same way, having the client validate the cert against any of the CAs (ie: NO CAs are checked). This should use any certificate signed by any of the CAs within the Windows CA cert store. The Windows 7 docs on Technet even say this should work: http://technet.microsoft.com/en-us/library/dd759154.aspx

In step 5c: "If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store"

This doesn't appear to be the case. If I don't select any trusted CAs from this list the authentication fails against Radiator and I get the following in the Radiator log file, which indicates that the client rejected the cert:

Mon Jan 30 11:18:41 2012: INFO: Access rejected for host/MYCOMP-019489.domain.tld: EAP PEAP TLS read failed
Mon Jan 30 11:18:41 2012: ERR: EAP PEAP TLS read failed: 19339: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

Looking at the client supplicant logs I can see that the client does reject it because no CA is selected. If I go back and select only the Thawte Primary Root CA, then authentications work properly and the client can connect without issues.

I know this isn't a Radiator thing, just wondering if others have run across this inconsistency with Windows 7 at all. Not sure if a recent Windows patch broke the functionality as it was originally explained in the above Technet article or if it just never worked. I'll probably open a case with MS to verify, but I'm pretty sure others have probably run across this already.

--greg

Gregory A. Fuller - CCNP, CCNA Security
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
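The pair of Radiator lines quoted above (an INFO "Access rejected ... EAP PEAP TLS read failed" followed by an ERR line carrying the OpenSSL error string) is the server-side fingerprint of a supplicant that aborted the PEAP handshake itself. The following script, added here as an illustration and not part of the original post or of Radiator, parses lines in that format, pairs each rejection with the OpenSSL alert that follows it, and tallies which peers are sending "tlsv1 alert access denied" (the alert Windows sends when server certificate validation fails) so an operator can spot a fleet-wide certificate-trust misconfiguration rather than chasing individual failures. The sample log text is constructed: it repeats the two lines from the post and adds invented neighbouring entries with the same layout; the "Access accepted for" line is assumed to be Radiator's accept wording.

```python
import re
from collections import Counter

# Constructed sample log: the two lines from the post plus invented neighbours
# in the same layout, so the summary has several peers to aggregate.
SAMPLE_LOG = """\
Mon Jan 30 11:18:41 2012: INFO: Access rejected for host/MYCOMP-019489.domain.tld: EAP PEAP TLS read failed
Mon Jan 30 11:18:41 2012: ERR: EAP PEAP TLS read failed: 19339: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Mon Jan 30 11:19:02 2012: INFO: Access accepted for host/MYCOMP-019490.domain.tld
Mon Jan 30 11:19:15 2012: INFO: Access rejected for host/MYCOMP-019491.domain.tld: EAP PEAP TLS read failed
Mon Jan 30 11:19:15 2012: ERR: EAP PEAP TLS read failed: 19340: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Mon Jan 30 11:20:00 2012: INFO: Access rejected for host/MYCOMP-019489.domain.tld: EAP PEAP TLS read failed
Mon Jan 30 11:20:00 2012: ERR: EAP PEAP TLS read failed: 19341: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
"""

# "<weekday> <month> <day> <hh:mm:ss> <year>: <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
REJECT_RE = re.compile(r"^Access rejected for (?P<peer>\S+): (?P<reason>.*)$")
ACCEPT_RE = re.compile(r"^Access accepted for (?P<peer>\S+)")
# OpenSSL error strings: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# TLS alerts that the *supplicant* sends to the server, meaning the client,
# not Radiator, decided to abort the handshake.
CLIENT_ABORT_REASONS = {
    "tlsv1 alert access denied": "supplicant rejected the server certificate",
    "tlsv1 alert unknown ca": "supplicant does not trust the issuing CA",
}


def parse_line(line):
    """Split one Radiator log line into timestamp, level and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def explain(reason):
    """Human-readable meaning of an OpenSSL alert reason string."""
    return CLIENT_ABORT_REASONS.get(reason, "server-side or unrecognised TLS failure")


def summarize(log_text):
    """Pair each 'Access rejected ... TLS read failed' INFO line with the ERR line
    that follows it and count, per peer, how often the client aborted the handshake."""
    accepted = Counter()
    client_aborts = Counter()
    alert_reasons = Counter()
    pending_peer = None  # peer named by the most recent unresolved rejection
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["level"] == "INFO":
            a = ACCEPT_RE.match(msg)
            if a:
                accepted[a.group("peer")] += 1
                continue
            r = REJECT_RE.match(msg)
            if r and "TLS read failed" in r.group("reason"):
                pending_peer = r.group("peer")
            continue
        if rec["level"] == "ERR" and pending_peer is not None:
            e = OPENSSL_RE.search(msg)
            if e:
                reason = e.group("reason").strip()
                alert_reasons[reason] += 1
                if reason in CLIENT_ABORT_REASONS:
                    client_aborts[pending_peer] += 1
            pending_peer = None
    return {
        "accepted": dict(accepted),
        "client_aborts": dict(client_aborts),
        "alert_reasons": dict(alert_reasons),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for reason, n in summary["alert_reasons"].items():
        print(f"{n}x {reason}: {explain(reason)}")
    for peer, n in sorted(summary["client_aborts"].items(), key=lambda kv: -kv[1]):
        print(f"  {peer}: {n} handshake(s) aborted by the client")
```

Feeding a real Radiator log through `summarize` and seeing many distinct peers with the same "access denied" alert within a short window points at a client-side trust setting (such as the empty trusted-root selection discussed in the post) rather than at any one machine; a single peer alone is more likely a local problem with that client's certificate store.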